In this topic: We talk about passwordless from Mozilla.
Token-based authentication middleware for Express & Node.js. Passwords are broken. Inspired by Justin Balthrop's article Passwords are Obsolete token-based one-time password (OTPW) authentication is faster to deploy, better for your users, and more secure.
Few issues with this that I've already noticed, it's not better for users in any way. I was excited to see what Mozilla could come up with here, but, it doesn't solve any situation. For those that don't understand how it works, imagine you've forgotten your password, and you reset the password by entering your email address, you then receive an email with a unique token which takes you to reset it. Well it's that, but you don't set a new password, you're just logged in. Which, while easier than resetting your password, means that, to log into a website, you need to go to that site, enter an email address, go to your email (or other method, discussed shortly) and click the link which takes you back to the other site. This isn't in anyway easier.
Now they say that you can incorporate other methods for sending the token, SMS for example, but this is worse, why would you log in on a computer, then get the token on your phone, you then have to type out a stupidly long token back into your browser, or become forced to login on your phone.
I don't see what this solves.
I'm a huge fan of two-factor authentication, and it's one of those ideas that's been banging 'round my head for the past little while. It's a neat idea and works well in practice because people have always got their phones on them.
SMS 2-factor auth still has one annoying barrier, and that is relying on cell phone networks to deliver the token. I hate that.
I much prefer HOTP (or even better, TOTP), where all I have to do is register the secret once on my phone, and I can use it to derive the token anywhere, even in places where I don't have signal (which annoyingly, happens a lot).